Diffstat (limited to 'dom/base/test/browser_bug593387.js')
-rw-r--r-- | dom/base/test/browser_bug593387.js | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/dom/base/test/browser_bug593387.js b/dom/base/test/browser_bug593387.js
new file mode 100644
index 0000000000..aa4f9dc0f7
--- /dev/null
+++ b/dom/base/test/browser_bug593387.js
@@ -0,0 +1,70 @@
+/*
+ * Test for bug 593387
+ * Loads a chrome document in a content docshell and then inserts a
+ * X-Frame-Options: DENY iframe into the document and verifies that the document
+ * loads. The policy we are enforcing is outlined here:
+ * https://bugzilla.mozilla.org/show_bug.cgi?id=593387#c17
+*/
+
+add_task(function* test() {
+ yield BrowserTestUtils.withNewTab({ gBrowser,
+ url: "chrome://global/content/mozilla.xhtml" },
+ function* (newBrowser) {
+ // NB: We load the chrome:// page in the parent process.
+ yield testXFOFrameInChrome(newBrowser);
+
+ // Run next test (try the same with a content top-level context)
+ yield BrowserTestUtils.loadURI(newBrowser, "http://example.com/");
+ yield BrowserTestUtils.browserLoaded(newBrowser);
+
+ yield ContentTask.spawn(newBrowser, null, testXFOFrameInContent);
+ });
+});
+
+function testXFOFrameInChrome(newBrowser) {
+ // Insert an iframe that specifies "X-Frame-Options: DENY" and verify
+ // that it loads, since the top context is chrome
+ var deferred = {};
+ deferred.promise = new Promise((resolve) => {
+ deferred.resolve = resolve;
+ });
+
+ var frame = newBrowser.contentDocument.createElement("iframe");
+ frame.src = "http://mochi.test:8888/tests/dom/base/test/file_x-frame-options_page.sjs?testid=deny&xfo=deny";
+ frame.addEventListener("load", function loaded() {
+ frame.removeEventListener("load", loaded, true);
+
+ // Test that the frame loaded
+ var test = this.contentDocument.getElementById("test");
+ is(test.tagName, "H1", "wrong element type");
+ is(test.textContent, "deny", "wrong textContent");
+ deferred.resolve();
+ }, true);
+
+ newBrowser.contentDocument.body.appendChild(frame);
+ return deferred.promise;
+}
+
+function testXFOFrameInContent(newBrowser) {
+ // Insert an iframe that specifies "X-Frame-Options: DENY" and verify that it
+ // is blocked from loading since the top browsing context is another site
+ var deferred = {};
+ deferred.promise = new Promise((resolve) => {
+ deferred.resolve = resolve;
+ });
+
+ var frame = content.document.createElement("iframe");
+ frame.src = "http://mochi.test:8888/tests/dom/base/test/file_x-frame-options_page.sjs?testid=deny&xfo=deny";
+ frame.addEventListener("load", function loaded() {
+ frame.removeEventListener("load", loaded, true);
+
+ // Test that the frame DID NOT load
+ var test = this.contentDocument.getElementById("test");
+ Assert.equal(test, null, "should be about:blank");
+
+ deferred.resolve();
+ }, true);
+
+ content.document.body.appendChild(frame);
+ return deferred.promise;
+} |
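Review bot: The blocked-frame check in testXFOFrameInContent passes whenever the `test` element is absent, so it would also pass if the iframe failed to load for a reason unrelated to X-Frame-Options (for example the .sjs handler not being served); the message says "should be about:blank" but nothing verifies that. Consider also asserting the document identity, e.g. `Assert.equal(this.contentDocument.location.href, "about:blank", "XFO DENY frame should be replaced by about:blank");`, assuming that is what a blocked frame resolves to in this tree. In testXFOFrameInChrome the opposite failure is silent: if the frame were blocked, `test` would be null, `test.tagName` would throw inside the listener, and the task would run into the harness timeout instead of reporting a failure, so add `ok(test, "XFO frame should load under a chrome top-level document");` before the two `is()` calls. The `newBrowser` parameter of testXFOFrameInContent is unused and always receives the `null` passed to `ContentTask.spawn`, so it could be dropped to avoid suggesting the content task has access to the browser element.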